
Re: Content Sniffing impact on HTTPbis - #155

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 12 Jun 2009 16:38:02 -0700
Message-ID: <7789133a0906121638ya261354me5e3853b1d693ddf@mail.gmail.com>
To: David Morris <dwm@xpasc.com>
Cc: ietf-http-wg@w3.org

On Fri, Jun 12, 2009 at 4:05 PM, David Morris <dwm@xpasc.com> wrote:
> On Fri, 12 Jun 2009, Ian Hickson wrote:
>> I don't mind making this requirement non-normative (since as you say it's
>> implicit), but I do think we should explicitly state that file extensions
>> don't and mustn't have an effect, since it is so common to use them for
>> this exact purpose in clients.
>
> I find it absurd to disallow use of file extensions given that on most OSes,
> there is no other mechanism to annotate content type. And they are a common
> way web servers choose content/type values.

For better or worse, we can't use file extensions as part of the
content sniffing algorithm because it's insecure.  In many attack
scenarios, the attacker chooses the file extension.

> Legislating our result into irrelevance is the likely outcome of dictating
> against common practice without a better commonly available alternative.

Neither Firefox nor Chrome uses the file extension in their sniffing
algorithm.  Safari uses the file extension only in one corner case.  I
don't think we are legislating the algorithm to irrelevance with this
requirement.

Adam
Received on Friday, 12 June 2009 23:39:00 GMT
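
Added example, not part of the original message and not any browser's or draft's actual algorithm: a simplified type decision that consults only the declared Content-Type and the leading bytes, next to a variant that trusts the URL's file extension, run over two constructed responses. The signature table, extension map, function names and example.test URLs are all assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Simplified leading-byte signatures (constructed subset, not a full sniffing table).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
]

# Hypothetical extension map of the kind a client might be tempted to use.
EXTENSION_MAP = {".html": "text/html", ".png": "image/png", ".txt": "text/plain"}


def sniff_by_bytes(body):
    """Return a type only when the leading bytes match a known signature."""
    for magic, mime in SIGNATURES:
        if body.startswith(magic):
            return mime
    return None


def type_ignoring_extension(url, content_type, body):
    """Decide from the declared type, else from the bytes; the URL is never read."""
    declared = (content_type or "").split(";")[0].strip().lower()
    if declared:
        return declared
    return sniff_by_bytes(body) or "application/octet-stream"


def type_using_extension(url, content_type, body):
    """Contrast case: the name in the URL overrides the server and the bytes."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    return EXTENSION_MAP.get(ext) or type_ignoring_extension(url, content_type, body)


# Constructed responses: (url, Content-Type header, body). In both, the file
# name was picked by whoever supplied the content, not by the site operator.
RESPONSES = [
    ("https://example.test/uploads/notes.html", "text/plain; charset=utf-8", b"<p>hi</p>"),
    ("https://example.test/uploads/picture.html", None, b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
]

if __name__ == "__main__":
    for url, ctype, body in RESPONSES:
        print(url, "| ignoring extension:", type_ignoring_extension(url, ctype, body),
              "| using extension:", type_using_extension(url, ctype, body))
```

In both constructed cases the extension-trusting variant reports text/html because of the name alone, while the other variant follows the server's label or the bytes.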
